It’s no surprise that cybersecurity is a hot button issue—not just for financial firms, but for firms in other industries.
And regardless of the industry, many aren’t doing all that well at keeping out cyber intruders, including financial firms, which one might think would be on top of the issue.
Of course, the financial industry makes a prime target, what with all those client accounts just sitting there oozing money.
In fact, at least one cybersecurity expert says hackers have 401(k)s in the crosshairs. They make such ideal targets—seldom checked by clients, just pools of money slowly growing in near-solitude—that they’re hard to resist.
Add to that the fact that both advisors and plan providers amass so much personal data on participants that in a hacker’s mind, it’s the mother lode—not just retirement assets but identities begging to be stolen.
Compliance firm RIA in a Box LLC has put together a list of 10 steps that RIAs can take to safeguard their systems from cyber attacks.
While it points out that the list is not “exhaustive,” firms that make sure they do all 10 will be much farther along the security path than firms that don’t.
1. Train your staff to identify suspect e-mails.
RIA in a Box points out that one should never open suspicious e-mails, click on the links in them, or download their attachments, whether the sender is unknown or even known.
It may seem obvious, but how easy is it to be in a hurry and just try to zip through the day’s e-mails?
And if you’re not expecting a document or other attachment from someone, take a minute to verify that the person is actually the one who sent it, since a hacked e-mail account can be used to hack other accounts.
2. Install antivirus software on devices used to access client data.
And, says RIA in a Box, make sure subscriptions are active, and all updates are automatically installed.
That may be another seemingly obvious step, but how many times does an employee work on, say, a home computer rather than the office laptop, and download (or upload) client files from there?
If that employee doesn’t have up-to-date antivirus software installed, there goes your office system security.
3. Do not allow clients to provide wiring instructions via e-mail.
And while you’re at it, RIA in a Box suggests that you confirm all transfers verbally, and have each client provide a secret word.
That way you’ll know the transfer instructions actually came from the client in question.
4. Don’t store client information on your firm’s internal server.
Instead, says RIA in a Box, use secure cloud storage providers, including a cloud backup service.
But do check out those providers thoroughly—no shortcuts here, lest your third-party provider be hacked because their own security measures weren’t up to date.
5. Require your staff to use different alphanumeric passwords to access each separate system.
Also, RIA in a Box points out that you should remember never to write down such passwords—did we remember to say never?—and all passwords should be updated automatically every three months.
6. Remember that even the best passwords aren’t foolproof.
That means that you should always require two-factor authentication for your staff to access all systems. That is, your staff has to provide two things, not just a password.
Otherwise, RIA in a Box points out that passwords could be the hacker’s way in.
7. Make sure your staff protects their own personal information on social media networks.
All too often, RIA in a Box says, hackers can pull such personal data off an employee’s Facebook page or LinkedIn presence, and then use that information to come up with answers to their personal security questions on your office system.
8. Never e-mail sensitive information to clients.
Secure client portals are fine, and so is secure e-mail, but not a plain Gmail or other commercial e-mail account.
RIA in a Box would have you stop and think about just how easy it is for a hacker to step in and intercept the information you’re sending or requesting.
9. Never allow staff members to access the firm’s systems or conduct any business via unsecured internet connections when traveling.
So you’re in the airport and figure you can sign on, get a little work done while your plane’s delayed, or you’re waiting in the local coffee shop for a delayed client, and decide to send in that report.
But not so fast, says RIA in a Box. If it’s an open hot spot, anybody else on it can sign on and pick up whatever you’re working on instead of tending to their own business.
10. Require all third-party system providers to sign confidentiality agreements in order to properly protect client information.
Remember step 4? This is another reason you need it.
RIA in a Box would advise that it’s not just a cloud storage provider or backup service that needs to be checked out.
The firm that services your network, or handles a host of other functions for you out of house, could have some gaps in its security.
Signing a confidentiality agreement won’t guarantee that such gaps are covered, but a firm conscientious enough to sign one will be more likely to have taken its own steps to protect its clients’—your—data.